statmount: accept fd as a parameter

Extend `struct mnt_id_req` to take in a fd and introduce STATMOUNT_BY_FD
flag. When a valid fd is provided and STATMOUNT_BY_FD is set, statmount
will return mountinfo about the mount the fd is on.

This even works for "unmounted" mounts (mounts that have been umounted
using umount2(mnt, MNT_DETACH)), if you have access to a file descriptor
on that mount. These "umounted" mounts will have no mountpoint and no
valid mount namespace. Hence, we unset the STATMOUNT_MNT_POINT and
STATMOUNT_MNT_NS_ID in statmount.mask for "unmounted" mounts.

In case of STATMOUNT_BY_FD, given that we already have access to an fd
on the mount, accessing mount information without a capability check
seems fine because of the following reasons:

- All fs related information is available via fstatfs() without any
  capability check.
- Mount information is also available via /proc/pid/mountinfo (without
  any capability check).
- Given that we have access to a fd on the mount which tells us that we
  had access to the mount at some point (or someone that had access gave
  us the fd). So, we should be able to access mount info.

Co-developed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Bhavik Sachdev <b.sachdev1904@gmail.com>
Link: https://patch.msgid.link/20251129091455.757724-3-b.sachdev1904@gmail.com
Acked-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/namespace.c b/fs/namespace.c
index f6879f282daec2a86aff84244b81c13b8a9f6a21..ec3b16fedd9f29f9d15d14c4eee92df2da5e7430 100644 (file)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5547,31 +5547,49 @@ static int grab_requested_root(struct mnt_namespace *ns, struct path *root)
 
 /* locks: namespace_shared */
 static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
-                       struct mnt_namespace *ns)
+                        struct file *mnt_file, struct mnt_namespace *ns)
 {
-       struct mount *m;
        int err;
 
-       /* Has the namespace already been emptied? */
-       if (mnt_ns_id && mnt_ns_empty(ns))
-               return -ENOENT;
+       if (mnt_file) {
+               WARN_ON_ONCE(ns != NULL);
 
-       s->mnt = lookup_mnt_in_ns(mnt_id, ns);
-       if (!s->mnt)
-               return -ENOENT;
+               s->mnt = mnt_file->f_path.mnt;
+               ns = real_mount(s->mnt)->mnt_ns;
+               if (!ns)
+                       /*
+                        * We can't set mount point and mnt_ns_id since we don't have a
+                        * ns for the mount. This can happen if the mount is unmounted
+                        * with MNT_DETACH.
+                        */
+                       s->mask &= ~(STATMOUNT_MNT_POINT | STATMOUNT_MNT_NS_ID);
+       } else {
+               /* Has the namespace already been emptied? */
+               if (mnt_ns_id && mnt_ns_empty(ns))
+                       return -ENOENT;
 
-       err = grab_requested_root(ns, &s->root);
-       if (err)
-               return err;
+               s->mnt = lookup_mnt_in_ns(mnt_id, ns);
+               if (!s->mnt)
+                       return -ENOENT;
+       }
 
-       /*
-        * Don't trigger audit denials. We just want to determine what
-        * mounts to show users.
-        */
-       m = real_mount(s->mnt);
-       if (!is_path_reachable(m, m->mnt.mnt_root, &s->root) &&
-           !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
-               return -EPERM;
+       if (ns) {
+               err = grab_requested_root(ns, &s->root);
+               if (err)
+                       return err;
+
+               if (!mnt_file) {
+                       struct mount *m;
+                       /*
+                        * Don't trigger audit denials. We just want to determine what
+                        * mounts to show users.
+                        */
+                       m = real_mount(s->mnt);
+                       if (!is_path_reachable(m, m->mnt.mnt_root, &s->root) &&
+                           !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
+                               return -EPERM;
+               }
+       }
 
        err = security_sb_statfs(s->mnt->mnt_root);
        if (err)
@@ -5693,7 +5711,7 @@ static int prepare_kstatmount(struct kstatmount *ks, struct mnt_id_req *kreq,
 }
 
 static int copy_mnt_id_req(const struct mnt_id_req __user *req,
-                          struct mnt_id_req *kreq)
+                          struct mnt_id_req *kreq, unsigned int flags)
 {
        int ret;
        size_t usize;
@@ -5711,11 +5729,17 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req,
        ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize);
        if (ret)
                return ret;
-       if (kreq->mnt_ns_fd != 0 && kreq->mnt_ns_id)
-               return -EINVAL;
-       /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
-       if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
-               return -EINVAL;
+
+       if (flags & STATMOUNT_BY_FD) {
+               if (kreq->mnt_id || kreq->mnt_ns_id)
+                       return -EINVAL;
+       } else {
+               if (kreq->mnt_ns_fd != 0 && kreq->mnt_ns_id)
+                       return -EINVAL;
+               /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+               if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
+                       return -EINVAL;
+       }
        return 0;
 }
 
@@ -5762,25 +5786,33 @@ SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req,
 {
        struct mnt_namespace *ns __free(mnt_ns_release) = NULL;
        struct kstatmount *ks __free(kfree) = NULL;
+       struct file *mnt_file __free(fput) = NULL;
        struct mnt_id_req kreq;
        /* We currently support retrieval of 3 strings. */
        size_t seq_size = 3 * PATH_MAX;
        int ret;
 
-       if (flags)
+       if (flags & ~STATMOUNT_BY_FD)
                return -EINVAL;
 
-       ret = copy_mnt_id_req(req, &kreq);
+       ret = copy_mnt_id_req(req, &kreq, flags);
        if (ret)
                return ret;
 
-       ns = grab_requested_mnt_ns(&kreq);
-       if (IS_ERR(ns))
-               return PTR_ERR(ns);
+       if (flags & STATMOUNT_BY_FD) {
+               mnt_file = fget_raw(kreq.mnt_fd);
+               if (!mnt_file)
+                       return -EBADF;
+               /* do_statmount sets ns in case of STATMOUNT_BY_FD */
+       } else {
+               ns = grab_requested_mnt_ns(&kreq);
+               if (IS_ERR(ns))
+                       return PTR_ERR(ns);
 
-       if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
-           !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
-               return -EPERM;
+               if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
+                   !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
+                       return -EPERM;
+       }
 
        ks = kmalloc(sizeof(*ks), GFP_KERNEL_ACCOUNT);
        if (!ks)
@@ -5792,7 +5824,7 @@ retry:
                return ret;
 
        scoped_guard(namespace_shared)
-               ret = do_statmount(ks, kreq.mnt_id, kreq.mnt_ns_id, ns);
+               ret = do_statmount(ks, kreq.mnt_id, kreq.mnt_ns_id, mnt_file, ns);
 
        if (!ret)
                ret = copy_statmount_to_user(ks);
@@ -5932,7 +5964,7 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
        if (!access_ok(mnt_ids, nr_mnt_ids * sizeof(*mnt_ids)))
                return -EFAULT;
 
-       ret = copy_mnt_id_req(req, &kreq);
+       ret = copy_mnt_id_req(req, &kreq, 0);
        if (ret)
                return ret;
 

diff --git a/include/uapi/linux/mount.h b/include/uapi/linux/mount.h
index 5d3f8c9e3a6256b4441a6d7af2e1347f78971777..18c62440526888b86a43018027b827e5755e2ec7 100644 (file)
--- a/include/uapi/linux/mount.h
+++ b/include/uapi/linux/mount.h
@@ -197,7 +197,10 @@ struct statmount {
  */
 struct mnt_id_req {
        __u32 size;
-       __u32 mnt_ns_fd;
+       union {
+               __u32 mnt_ns_fd;
+               __u32 mnt_fd;
+       };
        __u64 mnt_id;
        __u64 param;
        __u64 mnt_ns_id;
@@ -232,4 +235,9 @@ struct mnt_id_req {
 #define LSMT_ROOT              0xffffffffffffffff      /* root mount */
 #define LISTMOUNT_REVERSE      (1 << 0) /* List later mounts first */
 
+/*
+ * @flag bits for statmount(2)
+ */
+#define STATMOUNT_BY_FD                0x00000001U     /* want mountinfo for given fd */
+
 #endif /* _UAPI_LINUX_MOUNT_H */